A Look at the Proposed Treatment of De-Identified Data
On June 17, 2021, the Ontario government released a whitepaper outlining proposals to strengthen privacy protections in the province with a new private sector privacy law, and is asking for feedback on these proposals, which are based on seven key themes. As Ontario Commissioner Patricia Kosseim pointed out in her first annual report published on June 24, 2021, the timing for a private sector privacy law in Ontario is no coincidence, with a wave of legislative reforms happening across the country and around the world.
The whitepaper was released shortly after the Office of the Privacy Commissioner of Canada (OPCC) provided comments on Bill C-11, as discussed in PRIVATECH’s May blog article. Ontario is proposing a private sector law that mirrors Bill C-11 in some respects, for example, by supporting a consent model with consent exemptions, and by introducing similar administrative monetary penalties. However, there are a number of departures from Bill C-11 as well – first and foremost Ontario clearly intends to recognize privacy as a fundamental right.
This article focuses on a key departure from Bill C-11 with respect to how de-identified personal information is addressed. Bill C-11 creates a model whereby the new federal privacy law would apply even when the risk of re-identification is for the most part non-existent. The Ontario whitepaper recognizes the need for clear definitions and for extending certain requirements to de-identified information, such as implementing a privacy management program and ensuring de-identified data is protected by security safeguards. However, the whitepaper also states that organizations should be able to de-identify personal information without obtaining consent, by means of a risk-based approach, and should not be required to respond to an access, portability or deletion request for de-identified personal information.
Meanwhile, it is proposed that anonymized data be carved out of the Ontario law. Anonymized information would be defined as data that has been altered irreversibly so that an individual can no longer be identified directly or indirectly by any means or any person.
The Ontario whitepaper essentially incentivizes the use of de-identified and anonymized personal information, with the goal of supporting Ontario innovators engaging in “data analysis in a privacy-protective manner”. This proposal is a critical improvement over Bill C-11, where the definition of “de-identify” captures anonymized data and thus leads to much confusion.
The remaining difficulty is how our federal and provincial laws in Canada will work together. If Bill C-11 plows forward as is, the federal law would apply if personal information crosses provincial boundaries. This would be the case for many Ontario businesses using de-identified data. If the federal law thus takes precedence and the conflicting definitions of de-identified/anonymized data persist, Ontario’s objective to promote innovation for the public good would be frustrated. As our privacy laws evolve, the concept of ‘substantial similarity’ is also swimming in muddied waters. The same is true when we consider who is investigating and imposing penalties when the proposed Ontario and federal privacy legal frameworks apply. Will the OPCC defer to the Ontario IPC or double up on efforts? Considering the effective use of taxpayer dollars and the need to offer clarity on compliance obligations to businesses, these issues must be addressed head-on.
Feedback on the consultation is due August 3rd and I strongly encourage businesses and associations to participate. There may be some scepticism as to whether Ontario will be able to actually succeed in introducing a provincial privacy law before the government is dissolved, given the election planned for next year. However, with strong motivation to push forward as a privacy leader with a made-in-Ontario approach, and knowing a privacy bill will fill existing gaps in coverage (such as for Ontario employers and charities), Ontario may just pull through and get privacy legislation off the ground.
For more information about the whitepaper or to better understand the privacy legal framework that applies to your organization, contact PRIVATECH.